Tim Steinbach
5dda1324be
linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT
2017-10-11 13:50:20 -04:00
Jan Malakhovski
62fa45eac5
linuxPackages: hardened-config: enable DEBUG_PI_LIST
2017-09-16 13:14:05 +02:00
Jan Malakhovski
c345761c13
linuxPackages: hardened-config: check kernelArch, not system
2017-09-16 13:14:04 +02:00
Jan Malakhovski
616a7fe237
linuxPackages: hardened-config: disable BUG_ON_DATA_CORRUPTION for older kernels
They don't support it.
2017-09-16 13:14:03 +02:00
Joachim Fasting
dd170cd5df
hardened-config: build with fortify source
2017-09-16 00:31:25 +02:00
Joachim Fasting
9a763f8f59
hardened-config: enable the randstruct plugin
2017-09-16 00:31:23 +02:00
Joachim Fasting
edd0d2f2e9
hardened-config: additional refcount checking
2017-09-16 00:31:17 +02:00
Joachim Fasting
345e0e6794
hardened-config: enable read-only LSM hooks
Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).
See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
2017-08-11 23:27:58 +02:00
Joachim Fasting
f963014829
linux-hardened-config: various fixups
Note
- the kernel config parser ignores "# foo is unset" comments so they
have no effect; disabling kernel modules would break *everything* and so
is ill-suited for a general-purpose kernel anyway --- the hardened nixos
profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
the build; fix by making it optional
- restored some original comments which I feel are clearer
2017-08-06 23:38:07 +02:00
Tim Steinbach
ff10bafd00
linux: Expand hardened config
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2017-08-06 09:58:02 -04:00
Joachim Fasting
77ed860114
linux_hardened: enable checks on scatter-gather tables
Recommended by kspp
2017-05-18 12:33:42 +02:00
Joachim Fasting
996b65cfba
linux_hardened: enable structleak plugin
A port of the PaX structleak plugin. Note that this version of structleak
seems to cover less ground than the PaX original (only marked structs are
zeroed). [1]
[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61f13eaa1ee17728c41370100d2d45c254ce76f
2017-05-09 01:38:26 +02:00
Joachim Fasting
1816e2b960
linux_hardened: BUG on struct validation failure
2017-05-09 01:38:24 +02:00
Joachim Fasting
a7ecdffc28
linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
2017-05-09 01:38:22 +02:00
Joachim Fasting
42c58cd2e8
linux_hardened: compile with stackprotector-strong
Default is regular, which we need to unset for kconfig to accept the new
value.
2017-05-09 01:38:21 +02:00
Joachim Fasting
62f2a1c2be
linux_hardened: init
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
2017-04-30 12:05:39 +02:00